Default ORPort 443 [was: Re: German data rentention law]
7v5w7go9ub0o
7v5w7go9ub0o at gmail.com
Sun Oct 19 17:08:29 UTC 2008
Erilenz wrote:
> * on the Sun, Oct 19, 2008 at 07:14:31AM -0500, Scott Bennett wrote:
>
>>> Besides, opening ports < 1024 usually requires root-privileges,
>>> which could introduce serious security issues if an exploitable
>>> flaw were found in Tor. You can still advertise port 443 as your
>>> ORPort and listen on 9001, but this requires some port-forwarding
>>> magic, which is not entirely feasible for a default
>>> configuration. (But your other reason is sound as well)
>> Also good points. Another is that an unprivileged user on a multi-user
>> system may wish to run a tor relay, which would require a few configuration
>> tricks, but should definitely be doable. However, as you point out, an
>> unprivileged user ought not to be able to open a secured port, so the default
>> should not be a port in the secure ports range.
>
> I just took a quick glance and there seem to be at least a couple of hundred
> nodes running an OR port on 443, so people must be taking note of the
> documentation at http://www.torproject.org/docs/tor-doc-relay.html.en
>
Indeed! And these would be a couple of hundred nodes that are not
running HTTPS servers, and have likely configured an unprivileged port
assignment of 443 - either through configuration changes of the OS, or
as in my case, by running TOR in a chroot jail with a wrapper that drops
privilege.
Sigh......It is SO easy to come up with "gotchas" on any proposal to
change default rules ....... (e.g. consider all the "gotchas" on
allowing default access to mail ports).
The question SHOULD be; "will the change in defaults work well in
most situations, and in general improve the goals of TOR?" It should
NOT be, "can I find a "gotcha" and kill the suggestion." In those cases
where a conflict occurs, the operator would simply deactivate the
default 443 TOR port.
I don't know the answer to the "real" question; I doubt that anything
will confuse NSA for long; but I suspect there are lesser agencies in
the US and other countries that would find their monitoring and data
(including connection info.) retention schemes confounded by it.
More information about the tor-talk
mailing list